CVE-2021-35621 in MySQL Cluster
Summary
by MITRE • 10/20/2021
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/26/2021
The vulnerability identified as CVE-2021-35621 represents a significant security flaw within Oracle MySQL Cluster implementations that affects multiple version branches including 7.4.33 and earlier, 7.5.23 and earlier, 7.6.19 and earlier, and 8.0.26 and earlier. This weakness resides in the Cluster: General component of the MySQL Cluster product, which serves as the foundational infrastructure for distributed database operations. The vulnerability's classification as difficult to exploit indicates that while it requires specific conditions to be successfully leveraged, the potential impact is severe enough to warrant immediate attention from security professionals. The attack vector requires an adversary to have physical access to the communication segment connected to the hardware hosting the MySQL Cluster, establishing a baseline of network-level compromise that significantly reduces the attack surface but does not eliminate the threat entirely.
The technical nature of this vulnerability stems from insufficient security controls within the cluster's communication protocols, particularly concerning authentication and authorization mechanisms that govern access to cluster resources. The CVSS 3.1 score of 6.3 reflects the moderate severity level, with high impacts across all three core security principles: confidentiality, integrity, and availability. The attack requires a high privileged attacker who already possesses access to the physical communication segment, indicating that this vulnerability would typically be exploited by insiders or attackers who have gained physical access to network infrastructure. The requirement for human interaction beyond the initial attacker access suggests that additional steps or conditions must be met to fully compromise the system, potentially involving social engineering or exploitation of human factors in addition to technical vulnerabilities. This human interaction component makes the vulnerability somewhat less automated but still highly concerning given the potential for complete cluster takeover.
The operational impact of successfully exploiting CVE-2021-35621 could be devastating for organizations relying on MySQL Cluster for critical database operations. A successful compromise would result in full takeover of the MySQL Cluster, enabling attackers to access, modify, or destroy all database contents while potentially disrupting business operations across dependent applications and services. The confidentiality impact is high as attackers would gain access to all data stored within the cluster, including sensitive customer information, financial records, or proprietary business data. The integrity impact is equally severe, as attackers could modify database records, corrupt data structures, or manipulate cluster configuration settings to maintain persistence or hide their activities. The availability impact extends to complete service disruption, as attackers could disable cluster functionality or cause system crashes that would prevent legitimate users from accessing critical database services. This vulnerability aligns with CWE-284 (Improper Access Control) and potentially CWE-310 (Cryptographic Issues) depending on the specific implementation details, and could map to ATT&CK techniques involving privilege escalation and persistence mechanisms.
Organizations should implement immediate mitigations including network segmentation to isolate MySQL Cluster components from general network traffic, enhanced monitoring of cluster communication protocols, and implementation of additional authentication layers beyond the default cluster mechanisms. Regular security audits should verify that cluster configurations comply with security best practices, particularly regarding access controls and network isolation. The recommended approach involves upgrading to patched versions of MySQL Cluster where available, as Oracle has likely released updates addressing this specific vulnerability. Network administrators should also consider implementing intrusion detection systems specifically configured to monitor for unusual cluster communication patterns that might indicate exploitation attempts. Additionally, organizations should conduct regular security awareness training to reduce the risk of social engineering attacks that could complement this technical vulnerability. The combination of technical controls and human factor awareness creates a comprehensive defense strategy against exploitation of this vulnerability, as the requirement for human interaction means that social engineering elements could be exploited to facilitate successful attacks.